Threat behavior

Trojan:Win32/Koobface.A is a trojan component of Win32/Koobface that replaces the local hosts file.

Installation

This trojan component is installed by other variants of Win32/Koobface, a multi-component family of malware used to compromise computers and control them for an attacker's purposes. This could include using the affected computer to distribute additional malware, generate "pay-per-click" advertising revenue, and other activities.

When run, this trojan drops the following file:

c:\1.tmp - Trojan:Win32/Koobface.A

The dropped file is then run.

Payload

Replaces hosts file

Trojan:Win32/Koobface.A replaces the contents of the hosts file with the following:

<IP address> uuu20091124.info

where "<IP address>" is "85.13.206.114". The hosts file is commonly stored at the following location:

%windir%\system32\drivers\etc\hosts

The trojan then deletes itself.
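
One way to check a hosts file for the replacement described above, as an added example that is not part of the original description. The IP address and host name come from this page; the function names and the assumption that %windir% is C:\Windows are illustrative.

```python
# Added example: indicator values come from this page; function names are hypothetical.
import ipaddress

IOC_HOST = "uuu20091124.info"
IOC_IP = "85.13.206.114"
DEFAULT_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # assumes %windir% = C:\Windows


def parse_hosts(text):
    """Return a list of (line_no, ip, [hostnames]) for every mapping line."""
    entries = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field is not an address
        entries.append((line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]))
    return entries


def check_hosts(text):
    """Report Koobface.A indicators found in hosts-file content."""
    entries = parse_hosts(text)
    hits = [(n, ip, h) for n, ip, hosts in entries for h in hosts
            if h == IOC_HOST or ip == IOC_IP]
    # The trojan replaces the whole file, so the usual loopback lines vanish too.
    replaced = bool(hits) and len(entries) == len({n for n, _, _ in hits})
    return {"hits": hits, "replaced": replaced}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, encoding="utf-8", errors="replace") as fh:
        print(check_hosts(fh.read()))
```

A result with "replaced" set to True means every mapping in the file matches the indicator, which is what a fully overwritten hosts file looks like; hits with "replaced" False point to an edited or partially restored file.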

Additional Information

For more information about Win32/Koobface, see the description elsewhere in our encyclopedia.